Click to learn more about author Beth Shulkin.
Personally identifiable information (PII) is
any data used to identify an individual, such as social security number, phone
number, or physical address. For years, merchants, banks, government agencies,
and countless other organizations have relied on PII to service their
customers, for processing transactions of online shoppers, approving loans for
home buyers, issuing tax returns to citizens, and more.
While PII is useful for enabling digital transactions, it can also be harmful if compromised. Data breaches at retailers, health-related organizations, financial institutions, and federal agencies can put an individual’s PII at risk and make them vulnerable to identity theft and other forms of fraud. It can also be costly to the breached organization. According to IBM’s 2020 Cost of Data Breach Report, the average total cost of a data breach is $3.86M globally, with the most compromised and costliest type of record being customer PII at $150 per record.
How
Stolen PII Puts Individuals at Risk
In the early days of digital fraud, it was a
crime committed mostly by hackers acting independently. But over the years, it
has become a domain of organized crime, with large groups targeting physical
goods sold online to make real money. Today, fraud has accelerated and grown
even more sophisticated due to the rise of e-commerce, mobile payments, and
computing power. Many of the same technologies that companies rely on to
innovate and rapidly introduce new products and services are also being adopted
by fraudsters.
The increasing sophistication of today’s fraud can put individuals at even greater risk should their PII fall into the wrong hands. It can be used to create synthetic identities, where fraudsters combine PII from real people with false information to open bank accounts and credit cards and act like legitimate customers to build a transaction history. They then run up charges which they don’t pay for. McKinsey & Company estimates that synthetic identity fraud is the fastest-growing type of financial crime in the United States, and Aite Group found it costs U.S. lenders an estimated $10,000 to $15,000 per incident.
Gaining access to someone’s PII makes it
possible to not only create new accounts but take over an individual’s existing
accounts. Once in control, fraudsters can change the real shipping address and
use a card on file to purchase goods and have them shipped to the fraudster’s
address.
The
Introduction of New Regulations to Protect PII
As fraudsters’ methods have become more advanced, new government regulations have emerged to protect consumer data and identities. In the European Union, the Payment Services Directive (PSD2) governs how banks and merchants share consumer data to facilitate payments, and the General Data Protection Regulation(GDPR) mandates stringent controls over the collection and use of consumer data. In the U.S., the California Consumer Privacy Act (CCPA) gives consumers more control over the personal information that businesses collect. These laws carry the risk of stiff penalties for non-compliance and reflect the strong attitudes toward data privacy.
The
Shift from Static to Dynamic PII
Just as fraud has evolved over time, so has the concept of PII. According to the U.S. General Services Administration:
“Non-PII can become PII whenever additional information is made publicly available — in any medium and from any source — that, when combined with other available information, could be used to identify an individual.”
For this reason, the definition of PII continues to change as new information becomes available, and trends emerge.
Historically, PII has been static, meaning the elements remain the same over time. Static PII typically comprises data like a social security number, driver’s license ID, date of birth, or any other national identifier. But due to the sophistication of fraud attacks and recent major PII data breaches, such as Equifax in 2017 and Starwood Hotels in 2018, historical and static methods of verifying an identity have become ineffective for authentication. In fact, a survey by RSA found that 45 percent of Americans have had their personal information compromised by a data breach in the last five years.
However, as the world has become increasingly
mobile and tech-driven, new dynamic PII elements have emerged, such as IP
addresses, email addresses, device IDs, behavior, and biometrics. These PII
types are fluid (or change frequently), making them less susceptible to
compromise than their static PII counterparts. And by examining the
relationships between these data elements, they become even more powerful as a
tool in digital identity verification.
How
Dynamic PII Better Assesses Fraud Risk
Dynamic PII elements fit together like puzzle
pieces to create a composite picture of an individual. Device IDs, for
instance, can show whether an individual has used a browser to conduct a
transaction or log into their bank account. At the same time, behavioral data
can provide a historical look back at an individual’s purchases to provide red
flags or signal anomalies such as a consumer transacting across dozens of
merchants in a day or two.
With dynamic PII, organizations can rely less
on static PII as a definitive indicator of a customer’s identity and instead
focus on PII patterns to determine risk. Some patterns might include how often
a phone number or shipping address is used or the number of times an email
address is paired with a specific IP address. By focusing on data patterns
instead of precise identification, organizations can more easily spot cases of
fraudulent activity while, at the same time, avoid interfering with valid users
and causing unnecessary friction in the transaction process.
The
Importance of Securing Customer PII
Regardless of the type of PII organizations
use, it’s crucial that they take steps to protect it. Customer information is
both an asset and a liability. The loss or misuse of PII can result in legal
ramifications and cause irreparable damage to customer trust. The protection
and handling of customer data should be a critical keystone at the base of
every business. Some best practices for doing so include:
- Understand the data sources. To determine how (and to which extent) they should protect PII, organizations should first consider where the data is coming from. For instance, a customer’s billing information is much more sensitive than web traffic data and, therefore, will require much more stringent data protection methods.
- Ensure all data serves a clear and distinct purpose. Some data will fulfill short-term purposes (such as technical logs used for debugging purposes), whereas other data will fulfill longer-term purposes (e.g., billing records until the next tax season). Understanding the purpose of the collected PII will help guide decisions about how it should be stored and protected.
- Devalue data no longer in use. It can be tempting for organizations to retain records indefinitely, but data does not stay relevant forever; it will likely grow stale and diminish in value over time. Data kept beyond its usefulness not only costs the company money to retain but also increases their liability if hacked. In order to keep PII relevant and low-risk, companies should consider aging off data that is no longer needed, with the goal of keeping it for the minimal time necessary to fulfill its purpose.
In a world where technology is rapidly
advancing, organizations need to consider how they will keep up with the
innovative tactics of today’s fraudsters. It isn’t enough to just create barriers
for users that appear remotely fraudulent. Such broad-brush approaches risk
alienating modern consumers who demand secure yet seamless experiences. By
understanding how PII has evolved, leveraging dynamic elements to evaluate
transactions, and prioritizing the protection of PII, businesses can be one
step closer to better assessing and mitigating risk and providing enhanced experiences for their customers.
Source: https://www.dataversity.net/how-personally-identifiable-information-pii-is-evolving/
